GCHQ on passwords: longer and more complex passwords are not always best
Complex passwords may not be the lock that prevents your information from being stolen, and could in fact make life harder for users, GCHQ says in new password guidance it released last week.
Passwords, in most online systems, are the only thing that keeps your information safe from hackers. Experts and government authorities have long advised keeping your passwords complex by including letters, numbers and special characters so as to deter hackers, but it seems that GCHQ doesn’t echo these recommendations.
GCHQ is of the opinion that complex passwords may not actually deter hackers, but instead make life harder for users by placing unrealistic demands on them, with many users ending up in a state often referred to as ‘password overload’.
This forces them to resort to tactics such as coming up with passwords that look complex but are really just dictionary words dressed up with a mix of lower- and upper-case letters, numbers and special characters. There have been instances where users reuse the same password for almost all their online accounts, and if that doesn’t help, they write the password down and either stick it next to their computer screen or keep it under the keyboard.
Hackers have an arsenal of tactics they will employ to get your password, and social engineering is one of the most lethal of them. With dictionary words modified into complex-looking passwords, the hackers’ work is made easier, because the imagination of regular users has its limits, and this works to the hackers’ advantage.
Some of the tips listed by GCHQ in its latest password guidance may seem like a repeat of what we have seen in other password guidance, but it takes a new approach by putting users at the centre of the whole guidance. Helping users cope with password overload and understanding the limits of user- and machine-generated passwords are a few of the things that address the ‘user’ end of the equation.
Then there are things like prioritising administrators, account lockout policies, and not storing passwords in plain text, which address the administration end of password management.